Despite the benefits that many team chat app users cite, some experts say the rewards aren't necessarily worth the risk. David King, senior manager of the internal audit, risk and compliance practice at professional services firm UHY Advisors, said he probably would not have allowed Slack in his previous position as a CIO at a hedge fund.

"I know people are trying to modernize email and make it more dynamic, but they also are giving up control," King said.

He added that the new, stand-alone team messaging apps don't yet compare to traditional enterprise-level services in terms of maturity and security, and suggested that most organizations can use their existing products to meet internal communication needs.

"You have to know how the messages are being protected and retained," King said. "None of these team-based applications have focused on that as part of their service. It just doesn't feel like we are there yet."

He worries about scenarios like quarterly results being shared over an unsanctioned Slack channel ahead of a data breach, calling the likelihood of such a scenario unfolding "high."

If a CTO does decide to consider a team chat app, King recommended putting the platform through its paces on the risk management side -- building a use case and subjecting it to the regular channels of due diligence.

"Once it is deployed, IT should have a way to turn off access to the application when employees leave and to stop unauthorized use on the network," he said.

Lysa Myers, security researcher at security software company ESET, worries that as these messaging applications get more popular, they'll become a bigger target for hackers. She added that users themselves are the biggest problem.

"Are they talking about things that they shouldn't be talking about on an unencrypted channel? Most people will not go the extra step of turning on encryption," she said.

Myers encouraged IT to get specific about policies and what can and cannot be discussed over team chat app channels. For instance, hospital workers should never share any information protected under Health Insurance Portability and Accountability Act privacy rules, in case the platform is hacked.

"Users have to understand these are not the most secure venues, as well as the consequences if they break the rules," she said.

Like King, Myers urged IT managers to weigh a given messaging platform's approach to security, conducting a thorough risk assessment before adoption.

She hopes that team chat app vendors themselves will start to enact more secure coding practices, but until then, enterprise IT departments must stay attentive.
